We are looking for great projects that will help make the world a place where insecure software is the exception, not the rule. We'll consider any kind of project including tools, knowledgebase, process, marketing, etc...

OWASP Projects

See the current project list at OWASP Projects and contact the project's leaders if you have specific ideas

SpoC 007

Help with SpoC 007 initiative

project manage SpoC 007 projects

ensure all projects are going smoothly

General Ideas

Develop a JavaScript library to fingerprint a good guy browser connection as opposed to a bot or other bad guy attacker.

OWASP Honeycomb Project: Normalize the CLASP and VulnCat data and help to release the Honeycomb user's guide

Help to Complete V2.0 of WebScarab and package it as product

Integrate WebGoat with with SiteGenerator

Complete the 'Owasp membership pack'

Create the next version of 'Owasp Live CD'

Organize the 'OWASP branding project' and make a 1st pass at the current abuses of the OWASP brand

Create Training materials for OWASP projects (from tools to guides)

AppSec Principles - do some research and flesh out one of the OWASP principles. Talk about how the principle works in general, and then examine how it is applied in various contexts

Attacks - flesh out the list of attacks, develop each one with content and links

Vulnerabilities - work to fill out writeups of vulnerabilities and clean up the vulnerability lists. There's lots of linking to other articles here needed. We're integrating CLASP, CWE, Fortify, and other sources of vulnerabilities to make the best resource anywhere.

Countermeasures - general cleanup and linking of these articles. Probably some stubs in there that need significant writing

Java Project - great opportunity to do research and bring together all the best information in one place for Java developers

Medium or Large Projects

OWASP Corporate Application Security Rating Guide - Help us examine the application security practices of the corporate world. How about assessing the top 50 companies and top 50 software companies for their practices. The goal is to make it public what companies are doing in this area. The link is just an idea of how it might work!

Static Analysis to Pentest - Write a tool that takes the output of static analysis and turns it into penetration test cases

Security Test Automation - Make WebScarab generate, record, and playback security test cases (think JUnit) so that you can do regression security testing

Open Threat Modeling - Build an open threat modeling tool like Microsoft's but not so cumbersome

Data Flow - Adding true data flow analysis to LAPSE. Check out the jDFA project at sourceforge to see whether that can be applied to find tainted data attacks like XSS and SQL injection (as well as others)

Security Across the SDLC - Integrated security activities across the lifecycle. Currently people are talking about âtouchpointsâ and âactivitiesâ but thereâs no unifying line of sight or theme.

Honeycomb - It seems simple, but when you start trying to organize ALL the information thatâs out there it gets incredibly difficult. The simple taxonomies are wrong, bad, and misleading. Honeycomb is using a folksonomy approach that I hope will allow us to do something new here. But it really needs someone to think it through â perfect for a thesis.

LiveCD Education Project - The LiveCD project is a phenomenal idea. What it needs to really take flight is information that educates the user on every aspect. This project will generate text tutorials, video tutorials, and other learning media that will help users learn how to use the LiveCD along with the tools which it encompasses.

OWASP .Net Project

Organize the current OWASP .NET Project in a similar way to the Java Project

Cross reference the .NET material in the other OWASP projects (Testing Guide, HoneyComb,etc...) and add more articles specific to .NET security

Expand Dinis Cruz' research on .Net partial trust and create a Proof of Concept application showing how .Net's Partial Trust Sandbox can be used to mitigate against most Web Application Attacks (extra bonus points if a Java demo is also delivered :)

OWASP Site Generator

Add more vulnerabilties (and document them using ORG)

Implement the new engine (http based using interfaces) which allows the use of any backend web technology

Source code audit tools that identify vulnerabilities or areas that might have vulnerabilities

".Net Time-machine (ala Flight Recorder)" - ability to record the entire state of all objects during a .Net Execution and allow the execution, debugging and fuzzing from any arbitrary point (see Javaâs DeJaVu and JaRec Projects (I remember seeing another PoC of this type of tool, but canât seem to be able to find the link))

Smart fuzzers (to find run-time vulnerabilities)

âSecurity rating calculatorsâ which will give a product (or dll) a rating based on the âthreat profile of that applicationâ (for example the more unmanaged code, the worse rating) . This will be a very important part of the âPartial Trust Brandâ

Development environments that allow the development of complex and feature rich partial Trust applications like IE in managed code

New Virtual PC Execution environments that allow the safe execution of âpotential malicious applicationsâ whose interface with the userâs assets are controlled by a managed/verifiable application (and CAS policies)

âWhat is going onâ tools. When I run an application I need to know EVERYTHING it does. And if the application somehow escapes the âexecution monitoring systemâ I want to know that it did. Now that Microsoft bought SysInternals, can we have a massive boast on those tools capabilities?. This tools must also build CAS polices based on what they detected the target application needs.

Tools that allow the easy development and use of CAS and RBS (Role Base Security) and frameworks for securing an applicationâs Business-Logic (for example using a CAS to prevent the user accountâs from being changed, or an bank account from being accessed)

Code Coverage Tools - To know how much of an application has been tested, fuzzed or executed

âReal time Hot Patching of Jitted methods (without using the .NET profiler)â - For advanced defence solutions we will need the capability to make changes to jitted code (i.e . writing patches in C#)

ASP.NET

A framework similar to Struts (which force the developers to do the right thing (i.e. explicitly define all inputs into their application)

IDS (Intrusion Detection Systems) with the capability to change the applicationâs behaviour when under attack

Native Http Pipeline for IIS 5 and 6 (similar to what seems that will happen in IIS 7). This will be very important to protect ASP Classic pages

CAS demands for dangerous methods (for example methods and classes that allow SQL Injections, XSS, etcâ¦). The current CAS permissionâs model is designed to protect the server and the other co-hosted applications. This needs to be extended so that CAS can be used to protect the actual application from vulnerabilities in its code